9 Replies Latest reply on Apr 25, 2012 9:20 AM by rhauch

    Configuration using AuthenticationProvider/AuthorizationProvider

    djg2002

      This is sort of a continuation of the previous thread I had on this but since I've figured out the issues I had with loading the JcrEngine I figured it warrants a new thread.

       

      Everything works fine as anonymous, so I've removed JAAS config, and revoked anonymous access in the config below. I followed the outline in docs section 6.5.2.

      My CustomAuthenticationProvider is instantiated by Spring and the SecurityContext is injected into it, but the public ExecutionContext authenticate(...) method never gets called.

       

      I put @PostConstruct methods to confirm everything is getting configured, so any idea why I don't get the provider's CustomSecurityContext? Classes also below for reference.

       


      Config:


      <mode:repositories>
          <mode:repository jcr:name="tbuk_repository" mode:source="file_system_source">

             <mode:options jcr:primaryType="mode:options">
                 <jaasLoginConfigName jcr:primaryType="mode:option"  mode:value="" />
                 <anonymousUserRoles jcr:primaryType="mode:option"  mode:value="" />
             </mode:options>

             <mode:authenticationProviders>
                 <mode:authenticationProvider jcr:name="customModeshapeAuthenticationProvider"
                                        mode:classname="com.uk.tech.jcr.security.CustomAuthenticationProvider" />
             </mode:authenticationProviders>
          </mode:repository>
      </mode:repositories>

      <mode:sources jcr:primaryType="nt:unstructured">
         <mode:source jcr:name="file_system_source" mode:classname="org.modeshape.connector.filesystem.FileSystemSource" ...
      .../>



      my AuthenticationProvider:


      @Configurable (preConstruction = true)
      public class CustomAuthenticationProvider implements AuthenticationProvider {

          @Autowired
          SecurityContext securityContext;

          private static final Logger log = LogUtil.getLogger();

          @PostConstruct
          public void postC() {

              // This is executed ok
              if (securityContext != null) {
                  log.info("In @PostConstruct, SecurityContext class : " + securityContext.getClass().getName());
              }
              else {
                  log.warn("In @PostConstruct, SecurityContext is NULL");
              }
          }

          @Override
          public ExecutionContext authenticate(Credentials credentials, String repositoryName, String workspaceName, ExecutionContext repositoryContext, Map<String, Object> sessionAttributes) {

              // Doesn't get executed
              log.info("Enriching ExecutionContext with SecurityContext for user {}", securityContext.getUserName());

              System.out.println("\n\n\n&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&\n\n\n"); // Make any execution stand out a mile

              return repositoryContext.with(securityContext);
          }
      }


       

      my SecurityContext:

       

      @Component
      public class CustomSecurityContextImpl implements SecurityContext, AuthorizationProvider {

          @Autowired
          CustomUserDetailsManager userDetailsManager;

          @Autowired
          WorkspaceRole workspaceRole;

          private static final Logger log = LogUtil.getLogger();

          @PostConstruct
          public void postC() {
              // Executes ok, but rest of the methods are never called
              log.info("In @PostConstruct {}");
          }

      ...

      }

        • 1. Re: Configuration using AuthenticationProvider/AuthorizationProvider
          rhauch

          I haven't used Spring for many years, but ModeShape does expect to instantiate the AuthorizationProvider, and I'm not sure how it's possible to inject objects into the object created by ModeShape.

          • 2. Re: Configuration using AuthenticationProvider/AuthorizationProvider
            djg2002

            The @Configurable annotation tells Spring the class is instantiated 'manually'. Once it picks this up it does the dependency injection, confirmed in @PostConstruct which Spring runs prior to slotting into its context.

             

            Pretty sure this isn't Spring this time because the logs show things are instantiated/injected as expected, just not getting the call to public ExecutionContext authenticate() from Modeshape when I try repository.login().

             

            I'll see what happens if I instantiate this manually.

            • 3. Re: Configuration using AuthenticationProvider/AuthorizationProvider
              rhauch

              The first AuthorizationProvider to successfully authenticate wins. I see you've disabled JAAS and anonymous (though anonymous should be the last provider used). Have you tried getting this to work outside of Spring? Also, I'd try cranking up logging to debug (it may not be of any help, but it's worth a shot).

              • 4. Re: Configuration using AuthenticationProvider/AuthorizationProvider
                djg2002

                I went with completely unmanaged POJOs, expecting a null pointer exception when Modeshape makes a call to authenticate(...) - none of the implementation's references are set - but this definitely doesn't get called.

                 

                 

                Perhaps the authentication provider is fine, the exception I'm getting - after removing anonymous access - is:

                 

                 

                javax.jcr.LoginException: "tbuk_workspace" is not a valid workspace name for the "file_system_source" repository...

                ...

                Caused by: java.security.AccessControlException: Permission denied to perform actions "read" on path <unknown>

                          at org.modeshape.jcr.JcrSession.checkPermission(JcrSession.java:442)

                          at org.modeshape.jcr.JcrRepository.sessionForContext(JcrRepository.java:1561)

                 

                 

                tbuk_workspace is the default workspace in the config I truncated. (mode:defaultWorkspaceName="tbuk_workspace"). 

                • 5. Re: Configuration using AuthenticationProvider/AuthorizationProvider
                  djg2002

                  Added JIRA  https://issues.jboss.org/browse/MODE-1451

                   

                  There's a wrinkle in the order providers are iterated for login attempts.  Although there is a workaround, it makes the config more fragile than it needs to be, and a sensible default of 'try custom before anonymous' (i.e. readwrite before readonly) isn't possible using a custom provider.  Not sure if it interferes with the JAAS provider, which is why it might not have been picked up until now.

                   

                  Run the attached code demonstrating the issue.

                   

                  One thing still outstanding is that the session.getUserID() returns '<anonymous>', the CustomSecurityContext isn't getting used.  Is there a configuration option to inject this into the authenticationProvider?  If not I'll do some more digging to see where this comes from / if there is also an issue with this - basically I'm still not seeing a call to CustomAuthenticationProvider.authenticate() but it _is_ being instantiated.
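
The ordering problem discussed in this thread (the first provider to authenticate wins, so an anonymous provider consulted ahead of a custom one leaves the session as '<anonymous>'), as an added Java example that is not part of the original posts and is not ModeShape's code. The Provider interface, both providers, the credentials and the post-login check are hypothetical, and the anonymous stand-in is assumed to accept every attempt.

```java
import java.util.Arrays;
import java.util.List;

// Simplified model of a "first provider to authenticate wins" chain.
// Every name below is hypothetical; this is not ModeShape's implementation.
public class ProviderOrderDemo {

    interface Provider {
        // Returns the authenticated user ID, or null so the next provider is tried.
        String authenticate(String user, String password);
    }

    // Assumption of this model: the anonymous provider accepts every attempt.
    static final Provider ANONYMOUS = (user, password) -> "<anonymous>";

    // Stand-in for a custom provider with a real user store (constructed credentials).
    static final Provider CUSTOM = (user, password) ->
            "alice".equals(user) && "s3cret".equals(password) ? user : null;

    static String login(List<Provider> chain, String user, String password) {
        for (Provider p : chain) {
            String id = p.authenticate(user, password);
            if (id != null) return id; // first success wins; later providers are never consulted
        }
        throw new SecurityException("no provider accepted the credentials");
    }

    // Fail closed when a caller who presented credentials ends up with another identity.
    static String loginRequiringIdentity(List<Provider> chain, String user, String password) {
        String id = login(chain, user, password);
        if (!id.equals(user)) {
            throw new SecurityException("credentials for " + user + " produced session " + id);
        }
        return id;
    }

    public static void main(String[] args) {
        List<Provider> anonymousFirst = Arrays.asList(ANONYMOUS, CUSTOM);
        List<Provider> anonymousLast = Arrays.asList(CUSTOM, ANONYMOUS);
        // Same credentials, different order: only the second chain reaches CUSTOM.
        System.out.println("anonymous first: " + login(anonymousFirst, "alice", "s3cret"));
        System.out.println("anonymous last:  " + login(anonymousLast, "alice", "s3cret"));
        try {
            loginRequiringIdentity(anonymousFirst, "alice", "s3cret");
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

In the thread's setup the equivalent check is comparing session.getUserID() with the expected user after repository.login(), so a session that silently fell back to anonymous is rejected instead of used.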

                  • 6. Re: Configuration using AuthenticationProvider/AuthorizationProvider
                    djg2002

                    OK, found another issue!  (Sorry, turning into a bit of a running commentary...)  If you comment out the anonymousProvider in the config then the custom provider doesn't get instantiated at all!  I put a breakpoint on JcrRepository line 994 ( LOGGER.debug("Finished initializing the authentication providers for the '{0}' repository.", repositoryName());  ); the authenticators only has a (presumably default/full access) anonymous provider.   I'll see if I can find the cause....

                    • 7. Re: Configuration using AuthenticationProvider/AuthorizationProvider
                      rhauch

                      Yup, found the issue with both problems. (See MODE-1451 for details.) These will be fixed in 2.8.1.Final, which is due out in a couple of weeks or so (maybe sooner).

                       

                      Thanks for reporting these. If you find anything else, please let us know.

                      • 8. Re: Configuration using AuthenticationProvider/AuthorizationProvider
                        djg2002

                        Hi Randal - Do you know the 2.8.1.Final release date yet?

                         

                        Thanks

                        • 9. Re: Configuration using AuthenticationProvider/AuthorizationProvider
                          rhauch

                          We're planning to release 2.8.1.Final tomorrow, April 26th.